
On Running systemd-nspawn Containers – benjamintoll.com

I want to talk more about a container technology that I touched on in a previous article: systemd-nspawn.

systemd-nspawn is a container manager that lets you run a full operating system or a single command in a directory tree. Conceptually, it is similar to the venerable chroot, but it's safer.

While chroots isolate the filesystem, they do not give you any of the security benefits that cgroups and namespaces provide. Furthermore, they are not easy to set up, unless, of course, you use a tool like debootstrap or pacstrap.

See my previous articles on using chroot in some interesting ways:

systemd-nspawn, on the other hand, gives you as much security and configuration as you want, and it is as easy to configure as better-known tools like Docker.

To create a container, systemd-nspawn expects a root filesystem and, optionally, a JSON container configuration file, which together make up an OCI Runtime Bundle, because systemd-nspawn is fully OCI-compliant. Those familiar with lower-level tools like runc will recognize this requirement.

Most of the same methods of obtaining a root filesystem (rootfs) documented in my article on runc are available here.

When using the machine option (--machine or -M) with systemd-nspawn, the operating system tree (root filesystem) is automatically searched for in a handful of locations, notably /var/lib/machines, which is the recommended directory for system images.

The purpose of this article is simply to outline several ways to start using systemd-nspawn containers. Hopefully, it will also encourage you to think more critically about tools like Docker and to ask whether all the hype surrounding them is warranted.

We will be running Tor Browser in a container managed by systemd-nspawn.

Note that the following assumptions are made:

  • systemd-nspawn is already installed on your system.

    $ sudo apt install systemd-container
    
  • All of the following examples assume that the current working directory is /var/lib/machines.

  • All commands are run as the root user, to save typing sudo for each command.

Hey, ho, let’s go.



systemd-nspawn Settings File

What is a container settings file? It is an optional ini-style file containing the startup configuration that the systemd-nspawn container manager applies to your container. Any command-line option that can be given to systemd-nspawn can be placed in the settings file, although the names differ (see the docs). Just write it to the file and let systemd-nspawn worry about the rest. Not a bad deal, friend.

If you are familiar with systemd service files, then this will look familiar to you.

The systemd-nspawn container settings file is named after the container it is used for. For example, our container is called tor-browser, so the file should be called tor-browser.nspawn. That's easy.

Where do they go? That’s a wonderful question, Geezer!

The following locations are searched, in order:

  • /etc/systemd/nspawn/
  • /run/systemd/nspawn/
  • /var/lib/machines/

Persistent settings files should be placed in /etc/systemd/nspawn/ and, unlike the unprivileged location (see below), every setting they contain will be applied, because it is a privileged location (i.e., privileged locations are expected to be at least as trusted as the configs in the /etc directory).

Do not put anything in /run/systemd/nspawn/ that you want to survive a reboot, as the /run filesystem is a tmpfs and any runtime data placed there lives only in volatile memory.

$ df /run --output=fstype
Type
tmpfs

However, any settings file found in the unprivileged /var/lib/machines location has only a subset of its settings applied. In particular, any settings that elevate privileges or grant additional capabilities are ignored. This is so that untrusted or unexamined files downloaded from the scary internet cannot cause undue harm when they are automatically picked up during container creation.

In order for Tor Browser to work properly, the following systemd-nspawn settings file should be installed in /etc/systemd/nspawn:

tor-browser.nspawn

[Exec]
DropCapability=all
Environment=DISPLAY=:0
Hostname=kilgore-trout
NoNewPrivileges=true
Parameters=./start-tor-browser --log /dev/stdout
PrivateUsers=true
ProcessTwo=true
ResolvConf=copy-host
Timezone=copy
User=noroot
WorkingDirectory=/usr/local/bin/tor-browser

This is equivalent to the following command-line invocation:

$ sudo systemd-nspawn \
    --drop-capability all \
    --setenv DISPLAY=:0 \
    --hostname kilgore-trout \
    --no-new-privileges true \
    --private-users=true \
    --as-pid2 \
    --resolv-conf copy-host \
    --timezone copy \
    --user noroot \
    --directory tor-browser \
    bash -c "/usr/local/bin/tor-browser/start-tor-browser --log /dev/stdout"

Clearly the settings file is easier, and it allows us to start the container by typing:

$ sudo systemd-nspawn --machine tor-browser

In addition, there are many more parameters we could set, such as system call filtering, bind mounts, overlay or temporary mount points, but they are beyond the scope of this article. And we haven't even covered the [Files] and [Network] settings sections.

If a systemd-nspawn settings file is not present, the container will still launch, but into a shell.
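The settings file and the command line above are two spellings of the same thing. As an added example (not code from the original post), here is a small translator that reads an ini-style .nspawn file and rebuilds the equivalent systemd-nspawn command line, using only the key/switch pairs the two listings above put side by side; the --chdir switch for WorkingDirectory is assumed from the systemd-nspawn docs, and repeated keys are not merged.

```python
import configparser
import shlex

# [Exec] key -> command-line switch, as paired in the post's two listings.
# ProcessTwo, WorkingDirectory and Parameters are handled separately below.
EXEC_KEYS = {
    "DropCapability": "--drop-capability", "Environment": "--setenv",
    "Hostname": "--hostname", "NoNewPrivileges": "--no-new-privileges",
    "PrivateUsers": "--private-users", "ResolvConf": "--resolv-conf",
    "Timezone": "--timezone", "User": "--user",
}

# Constructed sample: the post's tor-browser.nspawn, embedded so this runs offline.
SAMPLE = """[Exec]
DropCapability=all
Environment=DISPLAY=:0
Hostname=kilgore-trout
NoNewPrivileges=true
Parameters=./start-tor-browser --log /dev/stdout
PrivateUsers=true
ProcessTwo=true
ResolvConf=copy-host
Timezone=copy
User=noroot
WorkingDirectory=/usr/local/bin/tor-browser
"""

def nspawn_to_argv(text, machine):
    """Rebuild the argv that a settings file stands in for."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (DropCapability, not dropcapability)
    cp.read_string(text)  # assumption: one value per key; duplicates raise here
    ex = cp["Exec"] if cp.has_section("Exec") else {}
    argv = ["systemd-nspawn"] + [f"{f}={ex[k]}" for k, f in EXEC_KEYS.items() if k in ex]
    if ex.get("ProcessTwo", "").lower() in ("true", "yes", "1"):
        argv.append("--as-pid2")
    argv.append(f"--directory={machine}")  # the tree -M would look up in /var/lib/machines
    if "WorkingDirectory" in ex:
        argv.append(f"--chdir={ex['WorkingDirectory']}")  # assumed mapping, see lead-in
    return argv + shlex.split(ex.get("Parameters", ""))

if __name__ == "__main__":
    print(shlex.join(nspawn_to_argv(SAMPLE, "tor-browser")))
```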

Let’s see some examples now.

Examples

docker export

Here’s our old “friend” docker export. While Docker makes it easy to get the root filesystem of a container as a tarball, it does, well, require Docker to do it. That sucks.

I don’t know about you, but I don’t want lots of container technologies/runtimes/managers on my base system. Because most distros already use systemd, the ability to create and run containers is already installed and just waiting for your fat little fingers to type the necessary commands.

So, installing additional software to run containers when you already have the ability to run containers isn’t great. It’s like installing an editor like Visual Studio Code when you already have Vim.

I’m guilty of using Docker in my personal projects for convenience, and that is exactly what prompted me to move away from it. Convenience is the bane of understanding.

Anyway, I digress. Here’s a simple way to run Tor Browser as a systemd-nspawn container:

$ sudo mkdir tor-browser \
    && docker export $(docker create btoll/tor-browser:latest) \
    | tar -x -C tor-browser
$ sudo systemd-nspawn -M tor-browser

The Dockerfile used to create this image is available in its repository.

Thanks to the convenience of the Dockerfile, Docker has made it easy to create a container with some provisioning already applied.

However, as I’ll show next, it takes little effort to turn a Dockerfile into a shell script that does the same thing. Shell scripts are among our best friends!

And after all, it’s a bit ridiculous to install Docker as a stepping stone to systemd-nspawn. Wouldn’t it be better to learn other ways of obtaining a root filesystem?

Which brings us to …

debootstrap

I’ve used debootstrap for many years. It is a very good way to quickly and easily bootstrap a chroot by downloading a root filesystem with optional packages.

As mentioned in the last example, I created a shell script that provisions the container, and it is a simple matter of copying it into the new OS tree created by debootstrap.

To run the script, we chroot into it (well, into what will become the container).

$ sudo debootstrap \
    --arch=amd64 \
    --variant=minbase \
    bullseye \
    tor-browser \
    http://deb.debian.org/debian
$ sudo cp install_tor_browser.sh tor-browser/
$ sudo chroot tor-browser/
---
### Run the installer script in the chroot.
---
root@sulla:/# ./install_tor_browser.sh
root@sulla:/# exit
$ sudo systemd-nspawn --machine tor-browser

That’s easy! No big deal.

If we want to share it with a friend or import it into another tool, we can export the container as a tarball and upload it to a server. This lets us download it later and create and run containers from it (the same concept as Docker Hub).

$ sudo machinectl export-tar tor-browser tor-browser.tar.xz

After uploading the container, anyone who wants to use it can simply download and run it without doing the setup steps above (copying and installing).

We’ll see an example of pulling the tarball from a remote server below.

mkosi

A tool by Lennart Poettering, mkosi is an easy way to create an OSI (operating system image) or OS tree for use with systemd-nspawn and any other container technology that can “consume” a root filesystem. It is written in Python, well documented (see its man page) and easy to use.

It has many options and cool features, but covering them is outside the scope of this article.

Creating an OSI is easy. Here you go:

$ sudo apt install mkosi -y
$ sudo mkosi \
    --distribution debian \
    --release bullseye \
    --format gpt_ext4 \
    --postinst-script install_tor_browser.sh \
    --with-network \
    -o tor-browser.raw
$ sudo systemd-nspawn --machine tor-browser

Note that I am giving mkosi the same install_tor_browser.sh script as the value of --postinst-script. This saves us a couple of steps that we had to do manually when using debootstrap in the last example, namely:

  1. Copying the script from the host into the chroot.
  2. Entering the chroot.
  3. Running the script.

Easy peasy.

machinectl pull-tar

We simply download the tarball from the previous example and run it as-is. There is no need to run the Tor Browser installation script, of course.

$ sudo machinectl pull-tar \
    http://example.com/tor-browser.tar.xz \
    tor-browser
$ sudo systemd-nspawn \
    --resolv-conf copy-host \
    --machine tor-browser

Even though it’s not necessary here, I’ve included the --resolv-conf option to show how easy it is to get DNS resolution in containers that need it.

machinectl pull-raw

I don’t use this one as much, but I’ve included it here for completeness.

$ sudo machinectl pull-raw \
    http://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img \
    rootfs
$ sudo systemd-nspawn --machine rootfs
Spawning container rootfs on /var/lib/machines/rootfs.raw.
Press ^] three times within 1s to kill container.
root@rootfs:~#

Note that mkosi can also build an image that you could use here as the target of pull-raw.

Other commands

This is nowhere near a comprehensive list. For example, you can copy files to and from a running container, but I don’t include an example of that.

As always, read the docs.

Export

As we saw, we can easily export a container’s root filesystem as a tarball. Then just upload it to a storage location that is available to other people and processes.

It’s the same workflow that has been around for hundreds of thousands of years.

$ sudo machinectl export-tar tor-browser tor-browser.tar.xz

Or export it as an image: machinectl export-raw

List running containers

$ machinectl list
MACHINE      CLASS     SERVICE        OS     VERSION ADDRESSES
tor-browser  container systemd-nspawn debian 11      -
ubuntu-focal container systemd-nspawn ubuntu 20.04   -

List all containers

From the man page:

list-images
       Show a list of locally installed container and VM images.  This enumerates all raw
       disk images and container directories and subvolumes in /var/lib/machines/ (and
       other search paths, see below). Use start (see above) to run a container off one
       of the listed images.  Note that, by default, containers whose name begins with
       a dot (".") are not shown. To show these too, specify --all. Note that a special
       image ".host" always implicitly exists and refers to the image the host itself is
       booted from.

$ machinectl list-images
NAME        TYPE      RO USAGE CREATED MODIFIED
hugo        directory no   n/a n/a     n/a
tor-browser directory no   n/a n/a     n/a

2 images listed.

List all containers without the header and footer:

$ machinectl list-images --no-legend
hugo        directory no n/a n/a n/a
tor-browser directory no n/a n/a n/a

List transfers

Downloads and exports can take a long time. Let’s check on their status!

$ sudo machinectl list-transfers
ID PERCENT TYPE       LOCAL       REMOTE
 1     n/a export-tar tor-browser

 1 transfers listed.

Query the status of a container

$ sudo machinectl status tor-browser
tor-browser(88544b92092430bc5d3fbbffc12a2f04)
           Since: Fri 2022-02-04 19:54:28 EST; 4h 29min ago
          Leader: 1380829 ((sd-stubinit))
         Service: systemd-nspawn; class container
            Root: /var/lib/machines/tor-browser
              OS: Debian GNU/Linux 11 (bullseye)
            Unit: machine-tor\x2dbrowser.scope
                  ...

Remove a container

If you’re absolutely sure you’re done with it, you can remove both the machine and its systemd-nspawn settings file in one fell swoop:

$ sudo machinectl remove tor-browser

Run arbitrary commands in the OS tree

$ sudo systemd-nspawn -M tor-browser --quiet uname -a
Linux kilgore-trout 5.11.0-49-generic #55-Ubuntu SMP Wed Jan 12 17:36:34 UTC 2022 x86_64 GNU/Linux

$ sudo systemd-nspawn -M tor-browser --quiet du -hs
264M    .

$ sudo systemd-nspawn -M tor-browser --quiet cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

$ sudo systemd-nspawn -M tor-browser --quiet df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/nvme0n1p2  468G   61G  384G  14% /
tmpfs           1.6G     0  1.6G   0% /tmp
tmpfs           4.0M     0  4.0M   0% /dev
tmpfs           1.6G     0  1.6G   0% /dev/shm
tmpfs           3.1G   12K  3.1G   1% /run
tmpfs           1.6G  1.9M  1.6G   1% /run/host/incoming
tmpfs           4.0M     0  4.0M   0% /sys/fs/cgroup
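Running one-off commands in the tree is also the natural way to confirm that the hardening settings in tor-browser.nspawn (DropCapability=all, NoNewPrivileges=true, User=noroot) actually took effect. This added example (not code from the original post) runs cat /proc/self/status through systemd-nspawn and checks the reported capability sets, no_new_privs flag and uid; the embedded status text is a constructed sample so the parser can be exercised without a container.

```python
import subprocess

# Constructed sample of /proc/self/status as a fully locked-down process reports
# it: every capability set empty, no_new_privs set, running as a non-root uid.
SAMPLE_STATUS = """Name:\tcat
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000000000000
CapAmb:\t0000000000000000
NoNewPrivs:\t1
"""

def parse_status(text):
    """Map the 'Key:<tab>value' lines of /proc/<pid>/status to a dict."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def check_hardening(text):
    """Findings for the post's settings; a missing field counts as a failure."""
    f = parse_status(text)
    caps = {k: int(f.get(k, "-1"), 16) for k in ("CapEff", "CapPrm", "CapBnd", "CapAmb")}
    uid = int(f.get("Uid", "0").split()[0])
    return {
        "bounding_set_empty": caps["CapBnd"] == 0,   # DropCapability=all
        "no_caps_held": caps["CapEff"] == 0 and caps["CapPrm"] == 0 and caps["CapAmb"] == 0,
        "no_new_privs": f.get("NoNewPrivs") == "1",  # NoNewPrivileges=true
        "unprivileged_uid": uid != 0,                # User=noroot
    }

def check_machine(machine):
    """Run the check inside a real container (needs systemd-nspawn and root)."""
    out = subprocess.run(
        ["systemd-nspawn", "-M", machine, "--quiet", "cat", "/proc/self/status"],
        check=True, capture_output=True, text=True).stdout
    return check_hardening(out)

if __name__ == "__main__":
    for name, ok in check_machine("tor-browser").items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```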

fzf

Using the amazing command-line fuzzy finder tool (fzf), I wrote a simple bash function that lists all the machine images in /var/lib/machines and lets you choose one. Once a selection is made, it creates and launches the container:

nspawn() {
    # Pick an image name from machinectl's listing with fzf, then launch it quietly.
    sudo systemd-nspawn --machine \
        "$(machinectl list-images --no-legend | awk '{ print $1 }' | fzf)" \
        --quiet
}

Conclusion

This article could also be called "On Getting Rid of Docker", because that is one of my goals. After all, if you run a Linux distro, chances are it uses systemd, so why not use systemd-nspawn?

There’s no need to install containerd and runc, which Docker requires and installs by default. I don’t have anything against them, mind you, and systemd-nspawn may not always be the best tool for the job.

Unfortunately, in my experience, most developers don’t know that there are options other than Docker, or they assume those options aren’t “easy”. Hopefully, this article dispels some of that notion.


2025-02-21 11:00:00
